52.6 Understanding the Authorization and Authentication Endpoints

OAuth Services has four authentication endpoints that receive and respond to HTTPS requests: the authorization endpoint, the token endpoint, the push endpoint, and the user consent revocation endpoint. Each endpoint is a URL that clients use to make requests.

The authentication endpoints are:

  • Authorization Endpoint – The client uses the Authorization Endpoint to obtain the resource owner's authorization to access the requested resources. The client application initiates the request by sending its client identifier, a requested scope defining the resource to which it wants access, and a redirection URI to which OAuth Services will direct the web browser once access is granted or denied. The endpoint accepts the request over HTTPS. The URI for this endpoint always ends in authorize. For example:

    http(s)://<host>:<port>/ms_oauth/oauth2/endpoints/<yourOauthServiceName>/authorize

  • Token Endpoint – The client application interacts with the Token Endpoint to exchange an authorization code grant for an access token. It is also used with the client credentials grant type and the resource owner credentials grant type to obtain an access token, and the client presents a refresh token to this endpoint to obtain a new access token. The URI for this endpoint always ends in token. For example:

    http(s)://<host>:<port>/ms_oauth/oauth2/endpoints/<yourOauthServiceName>/token

  • Push Endpoint – Mobile OAuth Services client apps interact with the Push Endpoint to obtain (depending on configuration) part of the authorization codes and/or part of the client tokens, access tokens, and refresh tokens, which are sent through either the Apple Push Notification Service (APNS) or the Google Cloud Messaging (GCM) service. It can also be used for the Mobile Client Verification code, Authorization Code, and Client Tokens. For example, the endpoint for requesting data from APNS is:

    http(s)://<host>:<port>/ms_oauth/oauth2/endpoints/oauthservice/push

  • User Consent Revocation Endpoint – Resource owners (end users), who authenticate and authorize client applications using the browser-based authorization endpoint flow, use this endpoint to revoke their consent to client applications. For example:

    http(s)://<host>:<port>/ms_oauth/oauth2/ui/<yourOauthServiceName>/showrevokeconsent

When configuring clients with authorization code grant in the OAuth server, you also need to provide at least one client redirect URI where the server can return authorization credentials to the client.

  • Client Redirect URIs – The OAuth Services server returns authorization credentials to the client using the URI specified in the request, provided that it exactly matches a URI configured in the client profile.
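The following added example (not Oracle's code) shows the client-side counterpart of the exact-match rule above: a registered-redirect-URI check that rejects anything but a byte-for-byte match, and a helper that builds the authorize-endpoint request described earlier. The client identifier, redirect URIs, host, port, scope and state values are constructed placeholders.

```python
"""Exact-match redirect URI check and authorize-request construction (added example)."""
from urllib.parse import urlencode

# Constructed client profiles: each client registers one or more exact redirect URIs.
CLIENT_PROFILES = {
    "mobile-app-1": {
        "redirect_uris": {"https://app.example.com/cb", "myapp://oauth/callback"},
    },
}


def redirect_uri_is_registered(client_id: str, redirect_uri: str) -> bool:
    """Return True only when redirect_uri is exactly one of the client's registered URIs.

    No prefix, substring, case-folding or default-port normalisation is applied:
    a looser comparison would let credentials be delivered to a URI the client
    never registered, which is why the server insists on an exact match."""
    profile = CLIENT_PROFILES.get(client_id)
    if profile is None:
        return False
    return redirect_uri in profile["redirect_uris"]


def build_authorize_url(host: str, port: int, service: str, client_id: str,
                        redirect_uri: str, scope: str, state: str) -> str:
    """Build the authorization code request to the authorize endpoint.

    Refuses to build a request whose redirect_uri the server would reject, so a
    misconfiguration is caught at the client before any round-trip."""
    if not redirect_uri_is_registered(client_id, redirect_uri):
        raise ValueError(f"redirect_uri not registered for {client_id}: {redirect_uri}")
    query = urlencode({
        "response_type": "code",   # authorization code grant
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,            # anti-CSRF value the client verifies on return
    })
    return f"https://{host}:{port}/ms_oauth/oauth2/endpoints/{service}/authorize?{query}"


if __name__ == "__main__":
    # Exact match accepted; common near-misses rejected.
    print(redirect_uri_is_registered("mobile-app-1", "https://app.example.com/cb"))       # True
    print(redirect_uri_is_registered("mobile-app-1", "https://app.example.com/cb/extra"))  # False
    print(redirect_uri_is_registered("mobile-app-1", "https://app.example.com:443/cb"))   # False
    print(build_authorize_url("oam.example.com", 14100, "oauthservice", "mobile-app-1",
                              "https://app.example.com/cb", "UserProfile.me", "xyz123"))
```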